[VIM] vendor ack/fix: 25523: Squirrelcart cart_content.php cart_isp_root Variable Remote File Inclusion

nikns nikns at secure.lv
Wed May 31 09:20:40 EDT 2006


Where is your comment/answer to:
>Why do you take information provided to you by a hacker as fact and post it
>on your website, give him "credit", and then not take the time to at least
>contact the vendor to alert them?

e?:)

On Wed, May 31, 2006 at 07:14:54AM -0400, security curmudgeon wrote:
>
>
>---------- Forwarded message ----------
>From: Lighthouse Development - Sales
>To: moderators at osvdb.org
>Date: Fri, 19 May 2006 16:15:20 -0400
>Subject: [OSVDB Mods] [Change Request] 25523: Squirrelcart cart_content.php
>    cart_isp_root Variable Remote File Inclusion
>
>Hello,
>
>
>
>I am the developer for Squirrelcart shopping cart software. I have a
>question regarding vulnerability 25523, and an update.
>
>
>
>Why do you take information provided to you by a hacker as fact and post it
>on your website, give him "credit", and then not take the time to at least
>contact the vendor to alert them?
>
>
>
>This is the second time in the past 2 years that this has happened to us and
>not a single one of the sites supposedly concerned about security took the
>time to contact us. While you were so kindly contacted by this hacker
>regarding this critical security flaw, we received notification after the
>fact by a customer that was subsequently hacked using information provided
>by one of these security sites.
>
>
>
>Please update your listing. This is incorrect: "Currently, there are no known
>upgrades, patches, or workarounds available to correct this issue."
>
>
>
>There has been an update available on our website to patch this since 5/16.
>In addition, the latest version 2.2.3 is not affected.
>
>
>
>Thanks,
>Jamie
>
>Jamie Whitney
>Lighthouse Development
>Squirrelcart.com
>
>
>

